Device Intelligence Check
Run a device intelligence check
This check can only be initiated through a Workflow Session and is not supported for direct API calls.
Learn more about Device Intelligence Checks.
Result object
The result object is only returned when the status of the check is complete . It has two components - outcome and breakdown.
Outcome
The outcome attribute represents the overall check result. Returned values include:
clear: Indicates every analysis type conducted returned a successful result.attention: Indicates at least one of the analysis results requires attention.
Breakdown
The breakdown comprises the following objects:
physicalDeviceAnalysis object
The physical device analysis results. It has the following constituents:
deviceEmulator: Indicates if the device is an emulator ( Android only).rootedApp: Indicates the app has been rooted ( Android only).browserTampering: Indicates the browser has been tampered with.jailbrokenDevice: Indicates the device has been jailbroken ( iOS only).clonedApp: Indicates the presence of app cloning, such as a fully duplicated application or one launched within a non-primary profile ( Android only).virtualMachine: Indicates if a browser running inside a virtual machine (e.g. VMWare) was used.locationSpoofing: Indicates if a mobile device has location spoofing enabled.suspiciousBrowser: Indicates the device is using a suspicious browser such as Tor.fridaDetection: Indicates if Frida was being used.previouslyEnrolledDevice: Indicates if the device has been used by other clients before during onboarding.
networkAnalysis object
The network analysis results. It has the following constituents:
vpnDetection: Indicates whether a virtual private network (VPN) was used.proxyDetection: Indicates whether an IP address was used that is public proxy provider.
botDetectionAnalysis object
The bot detection analysis results. It has the following constituents:
botDetection: Indicates whether a bot was used.
timelineAnalysis object
The timeline analysis results. It has the following constituents:
deviceTimelineAnalysis: Indicates whether the client’s use of devices across multiple sessions is suspicious.networkTimelineAnalysis: Indicates whether the client’s use of networks across multiple sessions is suspicious.
deviceData object
Data extracted about the devices. It has the following constituents:
devices: Array of the devices used.deviceId: A unique identifier for the device.outcome: Whether the device is suspicious, eitherattention,not_processedorclear.operatingSystem: The operating system of the device.appName: The name of the app being used.majorVersion: The major version of the app.fullVersion: The full version of the app.device: The type of device e.g.iOS-Device.userAgent: The user agent.incognito: A boolean withtrueif the browser was in incognito or private mode.sessionsWhenDetected: A list of sessions when the device was detected.sessionId: ID of the workflow session.timestamp: When the device was logged in this session.
deviceTimelineData object
Data extracted about the devices over multiple verification sessions. It has the following constituents:
incidents: A list of the suspicious incidents.sessionId: ID of the session where it was suspicious.reason: A reason code relating to the reason this incident was suspicious.
networkData object
Data extracted about the networks. It has the following constituents:
networks: Array of the networks used.ipAddress: The IP address of the network.sessionsWhenDetected: A list of sessions when the device was detected.sessionId: ID of the session.timestamp: When the device was logged in this session.
vpn: Data about any VPN being used.isVpn: Boolean indicating if a virtual private network was used.timezoneMismatch: Boolean indicating if the browser timezone doesn't match the timezone inferred by the IP address.publicVPN: Boolean indicating whether the IP address is owned and used by a public VPN service provider.auxiliaryMobile: Indicated if a VPN was detected in more extensive mobile specific checks.osMismatch: Indicates whether the operating system detected from browser is different to the operating system inferred from the network.relay: Indicates if the request IP address belongs to a relay service provider such as Apple Private relay or Cloudflare Warp.
geoLocationDetails: Data about the location of the IP address of the associated network.accuracyRadius: The IP address is likely to be within this radius (in km) of the specified location.address: This will be the structured address, which includes the following:latlong: The address latitude and longitude.line: The address line.city: The address city.state: The address state.postalCode: The address postal code.country: The address country. This will be the two-letter country ISO code..
asn: Data about the autonomous system managing the network.asn: The autonomous system number (ASN) associated with the IP address.name: The name of the organization that owns the ASN.network: The network range associated with the ASN.
datacenter: Indicates if the IP address belongs to a known data centre or cloud hosting provider.result: Boolean indicating whether the IP address is associated with a data centre.name: The name of the data centre or hosting provider if available.
networkTimelineData object
Data extracted about the networks over multiple verification sessions. It has the following constituents:
incidents: A list of the suspicious incidents.sessionId: ID of the session where it was suspicious.reason: A reason code relating to the reason this incident was suspicious.
Device incident reason codes
new_operating_system_detected
A device with an operating system that has not been used before was recorded in this session. Does not flag on the first device used.
many_devices_used_in_session
More than one device was used during this session. The only exception is in cross-device scenarios, such as when a session begins on a laptop and is later continued on a phone, which is a common scenario.
Network incident reason codes
large_network_location_variation
The location of networks detected within a session varied by more than 100km (or what was configured in the workflow)
networks_in_different_countries
The location of the networks detected across all sessions varied in terms of country.
new_country_detected
A network with location from an unseen country was detected in this session. Does not flag for the first seen country.
multiple_new_countries_detected
Multiple networks with locations from unseen countries were detected in this session.
many_networks_used_in_session
Six or more networks were used in a single session.
Sample Response
{
"id": "6231d54079f59b1530fc76e3",
"entityName": "John Doe",
"type": "ssn_check",
"clientId": "6230d4ab58ed4a434afbf2cc",
"status": "complete",
"result": {
"outcome": "clear",
"breakdown": {
"physicalDeviceAnalysis": {
"deviceEmulator": "clear",
"rootedApp": "clear",
"browserTampering": "clear",
"jailbrokenDevice": "clear",
"clonedApp": "clear",
"virtualMachine": "clear",
"locationSpoofing": "clear",
"suspiciousBrowser": "clear",
"fridaDetection": "clear",
"previouslyEnrolledDevice": "clear"
},
"networkAnalysis": {
"vpnDetection": "clear",
"proxyDetection": "clear"
},
"botDetectionAnalysis": {
"botDetection": "clear"
},
"timelineAnalysis": {
"deviceTimelineAnalysis": "clear",
"networkTimelineAnalysis": "clear"
},
"deviceData": {
"devices": [
{
"deviceId": "......",
"outcome": "clear",
"operatingSystem": "iOS",
"appName": "CcSampleApp",
"majorVersion": "67",
"fullVersion": "67",
"device": "iOS-Device",
"userAgent": "CcSampleApp/67 CFNetwork/1568.200.51 Darwin/24.1.0"
"incognito": false,
"sessionsWhenDetected": [
{
"sessionId": "l23j4ll2342",
"timestamp": 7399001291
}
]
},
{
"deviceId": "......",
"outcome": "attention",
"operatingSystem": "iOS",
"appName": "CcSampleApp",
"majorVersion": "67",
"fullVersion": "67",
"device": "iOS-Device",
"userAgent": "CcSampleApp/67 CFNetwork/1568.200.51 Darwin/24.1.0"
"incognito": false,
"sessionsWhenDetected": [
{
"sessionId": "l23j4ll2342",
"timestamp": 7399001291
}
],
"clientsPreviouslyEnrolledWith": [
"jom3on9823c231230ss"
]
}
]
},
"deviceTimelineData": {
"incidents": [
{
"sessionId": "al3k4l2l3m4",
"reason": "many_devices_used_in_session"
},
{
"sessionId": "l23j4ll2342",
"reason": "new_operating_system_detected"
}
]
},
"networkData": {
"networks": [
{
"ipAddress": "82.2.156.115",
"sessionsWhenDetected": [
{
"sessionId": "l23j4ll2342",
"timestamp": 7399001291
}
],
"vpn": {
"isVpn": false,
"timezoneMismatch": false,
"publicVPN": false,
"auxiliaryMobile": false,
"osMismatch": false,
"relay": false
},
"geoLocationDetails": {
"accuracyRadius": 10,
"address": {
"country": "GB",
"city": "Tower Hamlets",
"postalCode": "E14",
"latlong": "51.5064,-0.02",
},
"timezone": "Europe/London"
},
"asn": {
"asn": "4087",
"name": "Virgin Media",
"network": "83.2.0.0/16"
},
"datacenter": {
"result": false,
"name": ""
}
}
]
},
"networkTimelineData": {
"incidents": [
{
"sessionId": "al3k4l2l3m4",
"reason": "multiple_new_countries_detected"
},
{
"sessionId": "al3k4l2l3m4",
"reason": "many_networks_used_in_session"
},
{
"sessionId": "l23j4ll2342",
"reason": "large_network_location_variation"
}
]
}
}
},
"updatedAt": "2025-01-01T12:17:06.046Z",
"createdAt": "2025-01-01T12:17:04.809Z"
}Last updated
Was this helpful?